Domain Abuse Reporting
Patrick Jones, Senior Director, ICANN
April 2019 Netnod Spring Meeting

Introductions
• 13 years at ICANN, including 5 in ICANN Security team
• ICANN Office of the CTO leads the DAAR project
Domain names are often abused for fraudulent purposes online

Therefore …
• A growing need for proactive detection and mitigation strategies by providers
Currently:
• Lack of knowledge about abuse concentrations in networks
• Lack of knowledge about how providers perform in comparison to their peers
Abuse Monitoring?
Abuse not monitored mainly because:
¡ Thin profit margins; monitoring not seen as value given costs
¡ No unified methodology for abuse monitoring/reporting
¡ Mainly not enough incentives to monitor abuse
Domain Abuse Activity Reporting (DAAR)

The Domain Abuse Activity Reporting System: a system for reporting on domain name registration and abuse data across TLD registries and registrars

How does this differ from other reporting systems?
• Studies all gTLD registries and registrars for which we can collect zone and registration data
• Allows for historical research
• Studies multiple threats: phishing, botnet, malware, and spam
• Employs a large set of abuse feeds (e.g., blocklists)
• Takes a scientific approach: transparent, reproducible
DAAR project data can be used to
§ Study malicious registration behaviors
§ Report on threat activity at TLD or registrar level
§ Study historical security threats or domain registration activity
§ Assist operational security communities and academic research
§ Help operators understand or consider how to manage their reputations, anti-abuse programs, or terms of service
More informed security decision making and policy
DAAR Methodology & Data

Data Sources
I. DNS zone data
II. WHOIS data
III. Open source or commercial abuse threat (RBL) data*
*Certain data feeds require a license or subscription
Methodology
[Diagram: (1) DNS zone data collected via CZDS for each TLD (TLD 1, TLD 2, …) produces a list of resolved domains; (2) WHOIS data; (3) blacklist/blocklist data; the three are combined into DAAR reputation metrics per registries and registrars]
i. DNS Zone Data
• Uses publicly available methods: Centralized Zone Data Service (CZDS)
• Resolved domain names in zone files
• Collects approximately 1220 gTLDs
• Approximately 194 million domains

ii. WHOIS
§ DAAR uses
  § published WHOIS registration data
  § Registrar name and IANA ID
§ Current challenges
  § Reliable, accurate registrar reporting depends on WHOIS
  § Scaling data collection

iii. Abuse Threat Data
DAAR uses multiple abuse Reputation Blocklist (RBL) datasets to generate:
• Daily raw counts of domains associated with abuse
• Daily total and cumulative percentage abuse domains
• Calculate monthly/yearly newly added abuse domains
• Visual analytics regarding abuse trends

iii. Abuse Threat Data (continued)
• DAAR counts “unique” abuse domains
• A domain that appears on any abuse datasets reporting to DAAR is included in the counts once
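The three data sources and the counting rules on the slides above (resolved domains from zone data, registrar attribution from WHOIS, several RBL feeds merged so that each domain is counted once, percentages per TLD and per registrar, and "newly added" domains against a cumulative set) can be exercised end to end with a small script. The following is an added illustration, not ICANN's DAAR code; the zone lists, WHOIS IANA IDs and feed contents are constructed sample data under the reserved `.test` and `.example` TLDs, and the feed names and registrar IDs are hypothetical.

```python
"""Toy DAAR-style abuse metrics (added example, not ICANN's DAAR system).

Constructed inputs, standing in for the three DAAR data sources:
  ZONE  - resolved domains per gTLD, as a CZDS zone file collection would give
  WHOIS - registrar IANA ID per domain, as published WHOIS would give
  FEEDS - RBL feeds, each mapping a listed domain to the threat types it reports
"""
from collections import defaultdict

THREATS = ("phishing", "malware", "spam", "botnet_cc")

# Constructed sample zone data (hypothetical names under reserved TLDs).
ZONE = {
    "test": ["alpha.test", "bravo.test", "charlie.test", "delta.test", "echo.test"],
    "example": ["foxtrot.example", "golf.example", "hotel.example", "india.example"],
}

# Constructed WHOIS registrar attribution: domain -> hypothetical registrar IANA ID.
WHOIS = {
    "alpha.test": 9001, "bravo.test": 9001, "charlie.test": 9002,
    "delta.test": 9002, "echo.test": 9002, "foxtrot.example": 9001,
    "golf.example": 9003, "hotel.example": 9003, "india.example": 9001,
}

# Constructed RBL feeds (hypothetical feed names). alpha.test and charlie.test
# appear on more than one feed; zulu.test is listed but not in any zone file.
FEEDS = {
    "feed_A": {"alpha.test": {"phishing"}, "charlie.test": {"spam"}, "golf.example": {"malware"}},
    "feed_B": {"alpha.test": {"phishing", "malware"}, "delta.test": {"botnet_cc"}, "zulu.test": {"spam"}},
    "feed_C": {"charlie.test": {"spam"}, "hotel.example": {"phishing"}},
}


def resolved_domains(zone):
    """Flatten the per-TLD zone lists into the set of resolved domains."""
    return {d.lower() for names in zone.values() for d in names}


def merge_feeds(feeds, resolved):
    """Merge all RBL feeds into one domain -> {threat types} map.

    A domain listed by several feeds is kept once (the 'unique' rule); its
    threat types are the union of what the feeds report.  Listed names absent
    from the zone data are dropped: they cannot be attributed to a measured
    TLD or registrar.
    """
    abused = defaultdict(set)
    for feed in feeds.values():
        for domain, threats in feed.items():
            d = domain.lower()
            if d in resolved:
                abused[d] |= {t for t in threats if t in THREATS}
    return dict(abused)


def group_by_registrar(resolved, whois):
    """Group resolved domains by the registrar IANA ID taken from WHOIS."""
    groups = defaultdict(list)
    for d in sorted(resolved):
        groups[whois.get(d, "unknown")].append(d)
    return dict(groups)


def abuse_metrics(groups, abused):
    """Per group (TLD or registrar): resolved count, unique abused count,
    percentage abused, and a per-threat-type breakdown.  A domain carrying two
    threat types counts once in 'abused' but once in each threat column."""
    out = {}
    for key, names in groups.items():
        names = [d.lower() for d in names]
        hits = [d for d in names if d in abused]
        per_threat = {t: 0 for t in THREATS}
        for d in hits:
            for t in abused[d]:
                per_threat[t] += 1
        out[key] = {
            "resolved": len(names),
            "abused": len(hits),
            "pct": round(100.0 * len(hits) / len(names), 2) if names else 0.0,
            "threats": per_threat,
        }
    return out


def newly_added(previous_cumulative, today_abused):
    """Abuse domains seen today that were not already in the cumulative set."""
    return set(today_abused) - set(previous_cumulative)


if __name__ == "__main__":
    resolved = resolved_domains(ZONE)
    abused = merge_feeds(FEEDS, resolved)
    print("unique abused domains:", len(abused))
    for tld, m in abuse_metrics(ZONE, abused).items():
        print("TLD", tld, m)
    for reg, m in abuse_metrics(group_by_registrar(resolved, WHOIS), abused).items():
        print("registrar", reg, m)
    print("new since last run:", sorted(newly_added({"alpha.test", "golf.example"}, abused)))
```

The percentage is computed against resolved domains rather than raw registrations, matching the slides' "resolved domain names in zone files" basis; a registrar with few resolved domains can therefore show a high percentage from a handful of listings, which is why DAAR reports raw counts alongside percentages.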
Reputation Block Lists: Identifying Threats

Security Threat Types
DAAR collects domain data for
¡ Phishing
¡ Malware
¡ Spam
¡ Botnet Command & Control

DAAR Criteria for Reputation Blocklist Data Selection
• Threat classification that matches our set of security threats
• Positive reputation in academic literature, in operational and security communities for accuracy, clarity of process
• Broadly adopted across operational security community
• Incorporated into commercial security systems
• Used by network operators
• Used by email and messaging providers

Other Reputation Block List Uses
• RBLs in Browsers
• RBLs in the Cloud and Content-Serving Systems
• RBLs in Your Social Media Tools
• RBLs in the DNS
• RBLs in commercial firewalls, UTM devices
• RBLs in enterprise mail/messaging systems
• RBLs and Third-Party Email Service Providers (ESPs)
Is DAAR an Abuse List Service?
§ ICANN does not compose its own reputation blocklists
§ DAAR presents a composite of the data that external entities use to block threats
§ DAAR collects the same abuse data that is reported to industry and Internet users and is used by
  § Commercial security systems
  § Academia and industry
§ Academic studies and industry use validate that these datasets exhibit accuracy, global coverage, reliability and low false positive rates

Does DAAR Identify All Abuse Data/Types?
§ No. DAAR lists domain names associated with abuse identified by third parties.
§ Only those names associated with generic TLDs are measured, and only for specific abuse types.
Current Reputation Datasets
Domains only
§ SURBL lists (Spam, Phishing, Malware)
§ Spamhaus Domain Block List (Spam, Phishing, Malware, Botnet C&C)
§ Anti-Phishing Working Group (Phishing)
§ Malware Patrol (Malware, Ransomware, Botnet C&C)
§ Phishtank (Phishing domains)
§ ABUSE.CH (Ransomware tracker, Feodo tracker)
RBLs in Academia: a Method to Assert RBL Confidence
Partial list of academic studies and citations of RBLs that report to DAAR
• Rotten Apples or Bad Harvest? What We Are Measuring When We Are Measuring Abuse
• Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs
• Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting
• Blacklist Ecosystem Analysis: Spanning Jan 2012 to Jun 2014
• Taster's Choice: A Comparative Analysis of Spam Feeds
• Learning to Detect Malicious URLs
• Understanding the Domain Registration Behavior of Spammers
• The Statistical Analysis of DNS Abuse in gTLDs (SADAG) Report
• Shades of grey: On the effectiveness of reputation-based blacklists
• Click Trajectories: End-to-End Analysis of the Spam Value Chain
Why Is DAAR Reporting Spam Domains?
• The ICANN Governmental Advisory Committee (GAC) expressed interest in spam domains as a security threat in its Hyderabad correspondence to the ICANN Board of Directors… Why? Because:
• Most spam is sent via illegal or duplicitous means (e.g., via botnets).
• Spam is no longer singularly associated with email: link spam, spamdexing, tweet spam, messaging spam (text/SMS)
• Spam is a major means of delivery for other security threats
• Spam has evolved to a (cloud) service: Avalanche, for example, provided domain registrations to customers
• DAAR mainly measures domain names found in the bodies of spam messages
• MOST IMPORTANTLY, spam domain reputation influences how extensively or aggressively security or email administrators apply filtering
How is DAAR Data Useful?

Overall Abuse Distribution in DAAR Data (January 2019)
[Chart]

Distribution of Domains in gTLDs
[Chart: Resolved vs. Abused]

Distribution of Domains with Different Abuse Types in gTLDs
[Chart]

Project Status
The OCTO Security, Stability & Resiliency (SSR) team
§ Put DAAR methodology for public review and input
§ Reviewed all the reviews and comments received
§ Published SSR responses to DAAR comments on 1 February 2019
Project Status
§ Published the first series of the DAAR monthly reports
§ ICANN published the first monthly report from the DAAR system in February 2019
§ The reports contain aggregated and anonymous descriptive statistics and trend analysis on abuse concentrations in gTLDs
§ Monthly reports published through March 2019, including historical data from January 2018

DAAR & the Open Data Program
§ The data has already enabled constructive and data driven discussions with industry members
§ Open Data Program aims to facilitate access to data that ICANN organization or community creates or curates
§ In cases where licensing permits, DAAR data or reports will be published and included in the Open Data Program
Project Next Steps
§ Data publication into the Open Data Program
§ Improving the system based on comments and reviews
§ New metrics and analytics based on DAAR
§ Discussion with registries who are interested in viewing their own data
Challenges Ahead
§ Registrar level metrics
  § WHOIS data collection is hard to scale and has inaccuracies
§ ccTLD level metrics
  § Lack global ccTLD zone file access

Where do We Want to Go from Here?

Measuring Abuse
§ We are always open to discussion on improvements or other ways the data can be used to help inform discussions around DNS abuse
§ If you are a ccTLD and would like to input zone files and use the DAAR data, please contact us
Discussions on DNS Abuse next month
12-13 May 2019
https://www.icann.org/ids

Questions?
Thank You
Contact Info: [email protected] [email protected]
@icann
facebook.com/icannorg
youtube.com/icannnews
flickr.com/icann
linkedin/company/icann
slideshare/icannpresentations
soundcloud/icann